The author is a Forbes contributor. The opinions expressed are those of the writer.


Dr. Web's count of Macs actively infected with Flashback over time. The "A" marks Apple's release of its Flashback removal tool, and the "B" marks Dr. Web's discovery of another variant of Flashback that led to an increase in its infection count.

The creators of the Flashback trojan have made their mark as the first Mac-targeting malware authors to create an enormous, half-million-strong botnet. But their fun is nearly over.

Dr. Web, the Russian security firm that discovered the massive Flashback botnet last month, has provided new data on the number of Macs still infected with the software. The results show that while close to 460,000 machines remain infected, the botnet is shrinking at a rate of close to a hundred thousand machines a week as Mac users get around to downloading Apple's tool for disinfecting their machines or installing antivirus. (See the chart above.)

"It's going very slowly, and there's still a ways to go, but I think in a month it will be over," says Boris Sharov, Dr. Web's chief executive.

Dr. Web's count of Macs newly infected with Flashback on any given day.

New Flashback infections have also practically halted, as Apple's update to Java has prevented the exploit Flashback used to silently install itself on victim machines from hijacked WordPress blogs. (See the chart at left.)

Sharov says disinfection has proceeded much more slowly than it would have for a Windows-targeted botnet. He attributes that to what he sees as Mac users' overconfident attitude toward their computers' security, which has led to slow adoption of Apple's disinfection tool and low rates of antivirus installation among Apple users.

"For a PC it would have been much, much quicker. Only the last ten percent of users would remain infected for weeks like this," says Sharov. "What we're seeing is the actual disinfection pace when you don’t have antivirus."

Antivirus researchers estimate that more than 700,000 computers were infected with Flashback at its peak. Antivirus firm Symantec reported much smaller numbers than Dr. Web, but eventually conceded that a flaw in its methodology had led it to miss a large portion of the infection Dr. Web was counting. Even Dr. Web initially counted close to 650,000 infected machines, but found on April 16th that a new variant of the malware wasn't being included in its measurement, adding more than a hundred thousand machines to its count.

Flashback has been used for click fraud, as detailed by Symantec's researchers. The malware redirected traffic from Google search ads to its own pay-per-click ads, generating as much as $10,000 a day.

Even with its command and control servers disabled, the infected machines continue to engage in that traffic-hijacking. And with nearly half a million users still infected, Flashback's authors are still likely profiting from their scheme.